
The notorious cybercriminal group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor’s first ransomware campaign since late 2021.
Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy as Sangria Tempest.
“In a recent attack, Sangria Tempest used the PowerShell script POWERTRASH to load the Lizar post-exploit tool and gain a foothold into the target network,” said the company’s threat intelligence team. “They then use OpenSSH and Impacket to move laterally and deploy the Clop ransomware.”
FIN7 (aka Carbanak, ELBRUS, ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor to Maze and Ryuk ransomware attacks.
The group has been active since at least 2012 and has a track record of targeting a wide range of organizations across software, consulting, financial services, medical devices, cloud services, media, food and beverage, transportation and utilities.
Another notable tactic in the group’s playbook is a pattern of setting up fake security firms, Combi Security and Bastion Secure, to recruit employees to carry out ransomware attacks and other operations.
Last month, IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang are using a new malware called Domino, developed by a cybercrime cartel.
FIN7’s use of POWERTRASH to deliver Lizar (aka DICELOADER or Tirion) was also covered by WithSecure a few weeks ago, in connection with attacks that exploited a high-severity flaw (CVE-2023-27532) in Veeam Backup & Replication software to gain initial access.
This latest development shows that FIN7 continues to rely on various ransomware families to target victims as part of a shift in its monetization strategy from payment card data theft to extortion.